Fit for work and worker’s compensation
South West WorkCare Forum | Wednesday 30 August, 2023
As public authorities, West Australian local governments have to balance the tension between public expectations of transparency and security.
Legislative and regulatory commitments, as well as public expectations, see LGIS members publicly publishing information such as creditor details including names, addresses, emails, EOIs and respondents, and contract appointments.
It’s important that local governments – officers and councillors – recognise that commitment to transparency also increases vulnerabilities to social engineering attacks.
Training your people is a key element of your WHS responsibilities and LGIS has developed a suite of workshops to address common issues within local governments.
Definitions
Social engineering: Social engineering or ‘human hacking’ involves psychological manipulation to trick users into divulging confidential information or to gain unauthorised access to systems.
Phishing: A form of social engineering. It involves the fraudulent practice of sending emails or other messages pretending to be from reputable sources in order to induce individuals to reveal personal information, such as passwords and credit card numbers, or change financial details such as creditor bank accounts.
A WA regional local government recently fell victim to a social engineering fraud scheme, leading to a financial loss of over $1 million. An employee received a phishing email that looked like it was from one of their service providers. Opening a document attached to that email gave the hackers access to their supplier list. The hackers then deceived staff members into changing the payment information for a supplier within the financial system to a non-legitimate bank account.
In one of the emails the scammers, impersonating a member of the finance team, said that they had already verified the new account details of the supplier and requested this change.
There was a series of automatic email conversations between the two employees about the change of the supplier’s account details, which were never received by the owner of the hacked email address.
Attackers had created several rules in the email settings so that all emails received from another employee were marked as read and moved to the RSS Subscriptions folder. The unauthorised logins, which came from another country, were noticed during a routine check of risky sign-in logs conducted by the local government’s authorised cyber-security supplier.
The request to change account details was not verified outside of the email conversation.
The local government relied on email conversations because the employees were not in the office together, and worked remotely.
It is important to note here that the banking institution did inform the local government member before processing the amount to the new bank account; however, they permitted the transaction considering that, in their view, the new bank details were completely genuine. Following that, the payment was made into the scammers’ account.
The local government discovered that they had been compromised when the legitimate supplier contacted them following up payment of invoices. The local government then discovered that payment for two legitimate invoices had been made to the wrong account.
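The inbox rules described in this incident (mail from a colleague marked as read and filed into the RSS Subscriptions folder) can be found by reviewing an export of mailbox rules. The following is an added example, not part of the original article or any LGIS material; it flags rules that hide mail and also mark it read, target an internal sender, or match payment keywords, which generalises slightly beyond the single rule described. The record field names, the folder and keyword lists, and the sample addresses are assumptions constructed for illustration.

```python
# Folders users rarely open; a rule that files mail here effectively hides it.
RARELY_VIEWED = {"rss subscriptions", "rss feeds", "conversation history",
                 "junk email", "deleted items", "archive"}
PAYMENT_WORDS = {"bank", "payment", "invoice", "account", "remittance"}

def rule_findings(rule, internal_domain):
    """Return the reasons a mailbox rule looks like it hides mail ([] = clean)."""
    if not rule.get("enabled", True):
        return []
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in RARELY_VIEWED:
        reasons = ["files mail into '%s'" % folder]
    elif rule.get("delete"):
        reasons = ["deletes mail on arrival"]
    else:
        return []                      # mail stays visible: not a hiding rule
    if rule.get("mark_as_read"):
        reasons.append("marks it as read")
    suffix = "@" + internal_domain.lower()
    colleagues = [a for a in rule.get("from", []) if a.lower().endswith(suffix)]
    if colleagues:
        reasons.append("targets colleague(s): " + ", ".join(colleagues))
    words = {w.lower() for phrase in rule.get("subject_contains", [])
             for w in phrase.split()}
    if words & PAYMENT_WORDS:
        reasons.append("targets payment-related subjects")
    # Hiding alone is common (newsletter filing); require a second signal.
    return reasons if len(reasons) >= 2 else []

def scan(rules, internal_domain):
    """Map (mailbox, rule name) -> reasons, for every suspicious rule."""
    found = ((r, rule_findings(r, internal_domain)) for r in rules)
    return {(r["mailbox"], r["name"]): why for r, why in found if why}

# Constructed sample export (field names are assumptions of this example).
SAMPLE_RULES = [
    {"mailbox": "ap.officer@council.example", "name": "Newsletters", "enabled": True,
     "from": ["news@vendor.example"], "move_to_folder": "Archive"},
    {"mailbox": "ap.officer@council.example", "name": ".", "enabled": True,
     "from": ["finance.lead@council.example"], "mark_as_read": True,
     "move_to_folder": "RSS Subscriptions"},
    {"mailbox": "finance.lead@council.example", "name": "..", "enabled": True,
     "subject_contains": ["bank details"], "delete": True},
]

if __name__ == "__main__":
    for (mailbox, name), reasons in scan(SAMPLE_RULES, "council.example").items():
        print(mailbox, repr(name), "->", "; ".join(reasons))
```

Any rule it reports should be confirmed with the mailbox owner by phone or in person rather than by email, since the mailbox itself may be under someone else's control.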
Common scams associated with BEC:
Tips to prevent social engineering risks
For support on improving your local government’s cyber-security practices, contact the LGIS risk team.
LGIS is the unifying name for the dedicated suite of risk financing and management services for WA local governments, established by the WA Local Government Association in conjunction with JLT Public Sector (part of the Marsh group of companies). LGIS is managed by JLT Public Sector (ABN 69 009 098 864 AFS Licence 226827).
Risk Matters, via this website, is designed to keep members, their staff and elected members informed on topical risk management and insurance issues and LGIS programs and services.